kernel: nf_conntrack: table full, dropping packet
What is nf_conntrack?
The Linux Netfilter system (commonly known as the iptables firewall) includes a connection tracking facility provided by the nf_conntrack kernel module. Every flow the firewall sees gets an entry in a fixed-size table; tracking the state of each flow allows an efficient traversal of the Netfilter tables, is what the -m state / -m conntrack matches filter on, and is a prerequisite for NAT. When the table is full, the kernel drops the packet that would have created a new entry and logs the message above, so the symptom is new connections failing while existing ones keep working.
What is ip_conntrack?
ip_conntrack is the older, IPv4-only name of the same module; it was replaced by nf_conntrack during the 2.6 kernel series. On systems that still carry it the tunables live under net.ipv4.netfilter.ip_conntrack_* instead of net.netfilter.nf_conntrack_*, and for a while kernels kept those old keys as compatibility aliases. On current kernels only the net.netfilter.* keys exist.
Reason?
The table can hold at most net.netfilter.nf_conntrack_max entries. Typical reasons it fills up: a flood (DDoS, SYN or UDP flood creating many short-lived flows), more legitimate traffic than the box was sized for (a busy NAT gateway or load balancer), or simply the kernel default never having been tuned. Long conntrack timeouts make it worse, because idle entries stay in the table long after the peer is gone.
# Check Current Count Value
sysctl net.netfilter.nf_conntrack_count
# Max supported value
sysctl net.netfilter.nf_conntrack_max
# Netstat count
netstat -tn | awk '{n[$6]++} END { for(k in n) { print k, n[k]; }}'
# conntrack timeout value
sysctl -a | grep conntrack | grep timeout
# Increase conn track limit
/sbin/sysctl -w net.netfilter.nf_conntrack_max=196608
(no spaces around the "=": sysctl -w takes a single key=value argument)
Permanent change (the original note used the legacy net.ipv4.netfilter.ip_conntrack_max key, which current kernels no longer have):
echo 'net.netfilter.nf_conntrack_max = 196608' >> /etc/sysctl.conf
sysctl -p
If nf_conntrack is only loaded on demand after sysctl runs at boot, the key does not exist yet and the setting is not applied; load the module early (for example via /etc/modules-load.d/) or re-run sysctl -p from your firewall start-up script.
# Heavy traffic tuning: shorten how long TIME_WAIT flows are kept (the kernel default is already 120 s, so this exact value changes nothing; any lower value, such as the 90 used further down, frees entries sooner)
echo "120" > /proc/sys/net/netfilter/nf_conntrack_tcp_timeout_time_wait
How to find the configured nf_conntrack_max (net.nf_conntrack_max is the same value exposed under a second key):
# /sbin/sysctl -a | grep -i nf_conntrack_max
net.netfilter.nf_conntrack_max = 65536
net.nf_conntrack_max = 65536
How to read the current nf_conntrack_count:
linux:~# /sbin/sysctl net.netfilter.nf_conntrack_count
net.netfilter.nf_conntrack_count = 12742
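As an added example (not from the original page), the checks above wrapped into a small POSIX shell script: it computes table utilisation from nf_conntrack_count and nf_conntrack_max, turns the netstat state count into a reusable filter run over a constructed sample, and warns when the table is close to full. The 80 % threshold, the fallback values and the sample netstat output are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not part of the original page: a conntrack health check
# that wraps the diagnostics above. The helpers read the live counters
# when /proc exposes them and otherwise take the values passed in, so the
# functions can also be exercised on a box without nf_conntrack loaded.

# Percent of the conntrack table in use (integer arithmetic).
# usage: conntrack_usage_pct COUNT MAX
conntrack_usage_pct() {
    [ "$2" -gt 0 ] || return 1
    echo $(( $1 * 100 / $2 ))
}

# Read /proc/sys/net/netfilter/KEY, or fall back to DEFAULT when the file
# is absent (module not loaded, or a non-Linux test machine).
# usage: proc_or_default KEY DEFAULT
proc_or_default() {
    if [ -r "/proc/sys/net/netfilter/$1" ]; then
        cat "/proc/sys/net/netfilter/$1"
    else
        echo "$2"
    fi
}

# Filter equivalent of the page's `netstat -tn | awk` one-liner: count the
# State column (field 6) of netstat-style lines, skipping the two header
# lines, with sorted output so results are stable. For `ss -tan` the state
# is field 1 instead, so adjust the column before reusing this.
count_states() {
    awk '$1 ~ /^tcp/ && $6 ~ /^[A-Z_]+$/ { n[$6]++ }
         END { for (k in n) print k, n[k] }' | sort
}

# Print usage and return 2 when the table is above WARN_PCT (80 % is an
# arbitrary threshold chosen for this example).
# usage: conntrack_report [COUNT_FALLBACK] [MAX_FALLBACK]
conntrack_report() {
    count=$(proc_or_default nf_conntrack_count "${1:-0}")
    max=$(proc_or_default nf_conntrack_max "${2:-65536}")
    pct=$(conntrack_usage_pct "$count" "$max")
    printf 'conntrack: %s of %s entries in use (%s%%)\n' "$count" "$max" "$pct"
    if [ "$pct" -ge "${WARN_PCT:-80}" ]; then
        echo "WARNING: table close to full; new flows are dropped at $max"
        return 2
    fi
    return 0
}

# Constructed netstat -tn output used as sample input (not a real capture).
NETSTAT_SAMPLE='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:443            198.51.100.7:51234      ESTABLISHED
tcp        0      0 10.0.0.5:443            198.51.100.8:40021      ESTABLISHED
tcp        0      0 10.0.0.5:22             203.0.113.9:55100       ESTABLISHED
tcp        0      0 10.0.0.5:443            198.51.100.9:41000      TIME_WAIT
tcp        0      0 10.0.0.5:443            198.51.100.10:42000     TIME_WAIT
tcp6       0      0 2001:db8::5:443         2001:db8:1::9:43000     SYN_RECV'

# Run the check when invoked directly with "check" as the first argument.
if [ "${1:-}" = "check" ]; then
    printf '%s\n' "$NETSTAT_SAMPLE" | count_states
    conntrack_report 12742 65536
fi
```

On a live firewall, `sh conntrack-check.sh check` (or `netstat -tn | count_states` after sourcing the file) gives the state breakdown and the utilisation; a table that is mostly TIME_WAIT or SYN_RECV points at the timeout tuning further down rather than at raising the limit.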
Related modules
/sbin/lsmod | grep -E 'ip_tables|conntrack'
nf_conntrack_ipv4 10346 3 iptable_nat,nf_nat
nf_conntrack 60975 4 ipt_MASQUERADE,iptable_nat,nf_nat,nf_conntrack_ipv4
nf_defrag_ipv4 1073 1 nf_conntrack_ipv4
ip_tables 9899 2 iptable_nat,iptable_filter
x_tables 14175 3 ipt_MASQUERADE,iptable_nat,ip_tables
Remove nf_conntrack if neither NAT nor stateful filtering (-m state / -m conntrack rules) is required. Without the module the firewall can only match stateless per-packet rules, so do this only on a box whose ruleset needs no connection state. Unload in dependency order:
/sbin/rmmod iptable_nat
/sbin/rmmod ipt_MASQUERADE
/sbin/rmmod nf_nat
/sbin/rmmod nf_conntrack_ipv4
/sbin/rmmod nf_conntrack
/sbin/rmmod nf_defrag_ipv4
Be aware that the modules are auto-loaded again as soon as anything touches the nat table, even a read-only listing such as:
iptables -t nat -L -n
To keep conntrack off for good, add an "install nf_conntrack /bin/false" line in a file under /etc/modprobe.d/; a plain blacklist entry does not stop dependency-triggered loading.
How to increase nf_conntrack_max?
# sysctl -w net.netfilter.nf_conntrack_max=131072
Do not change this blindly. nf_conntrack_max is tied to the size of the conntrack hash table: raising the maximum without also growing the hash table just makes every lookup walk longer bucket chains, so the steps below belong together.
# Before raising the maximum, shorten the timeouts so stale entries leave the table sooner (kernel defaults: established 432000 s, i.e. 5 days; time_wait 120 s):
echo "86400" > /proc/sys/net/netfilter/nf_conntrack_tcp_timeout_established
echo "90" > /proc/sys/net/netfilter/nf_conntrack_tcp_timeout_time_wait
The raise then has to be matched by a bigger nf_conntrack hash table. The kernel derives its default maximum from the hash table size, and the rule of thumb used here is hashsize = nf_conntrack_max / 4 (write with ">", not ">>": the file holds a single value):
echo "<nf_conntrack_max/4>" > /sys/module/nf_conntrack/parameters/hashsize
So in this case, for nf_conntrack_max=131072:
# echo "32768" > /sys/module/nf_conntrack/parameters/hashsize
This write is not persistent; to survive a reboot or module reload, put "options nf_conntrack hashsize=32768" in a file under /etc/modprobe.d/. The value in effect can also be read back from net.netfilter.nf_conntrack_buckets.
NOTE: This is critical and should not be altered unless you know what you are doing and understand iptables, conntrack and NAT.
nf_log bindings (this is not a connection log): /proc/sys/net/netfilter/nf_log/ has one file per protocol family (2 = IPv4, 10 = IPv6, and so on); reading a file shows which logger backend is bound to that family, or NONE.
# ls -al /proc/sys/net/netfilter/nf_log/
total 0
dr-xr-xr-x 0 root root 0 Jul 8 10:16 .
dr-xr-xr-x 0 root root 0 Jul 8 10:16 ..
-rw-r--r-- 1 root root 0 Jul 8 10:16 0
-rw-r--r-- 1 root root 0 Jul 8 10:16 1
-rw-r--r-- 1 root root 0 Jul 8 10:16 10
-rw-r--r-- 1 root root 0 Jul 8 10:16 11
-rw-r--r-- 1 root root 0 Jul 8 10:16 12
-rw-r--r-- 1 root root 0 Jul 8 10:16 2
-rw-r--r-- 1 root root 0 Jul 8 10:16 3
-rw-r--r-- 1 root root 0 Jul 8 10:16 4
-rw-r--r-- 1 root root 0 Jul 8 10:16 5
-rw-r--r-- 1 root root 0 Jul 8 10:16 6
-rw-r--r-- 1 root root 0 Jul 8 10:16 7
-rw-r--r-- 1 root root 0 Jul 8 10:16 8
-rw-r--r-- 1 root root 0 Jul 8 10:16 9
Other Internet material that I found useful during my research:
http://pc-freak.net/blog/resolving-nf_conntrack-table-full-dropping-packet-flood-message-in-dmesg-linux-kernel-log/
http://backstage.soundcloud.com/2012/08/shoot-yourself-in-the-foot-with-iptables-and-kmod-auto-loading/